GSC-8022 SOURCE:TSACC TITLE:Formal Methods for Quality of Standards, Conformity Assessment and Security AGENDA ITEM:GTSC Formal Methods for Quality of Standards, Conformity Assessment and Security O. Monkewich, Ph.D., P.Eng. OMC International Phone: Fax:

17 October 2015GSC-8, OTTAWASlide 2 Formal Methods and Security Error-free, unambiguous standards specified using SDL, MSC, ASN.1 and TTCN with formal syntax and semantics Tools based on formal syntax and semantics are certifiable as trusted tools by accredited organizations Machine-generated, tool-specific source code is difficult to understand or modify by attackers Source descriptions in SDL are easy to review by non- programmers – benefit from “many eyes” reviews Conformity assessment can find malicious content and vulnerabilities – test suites can be widely available Manual work offloaded to trusted tools.

17 October 2015GSC-8, OTTAWASlide 3 Understandability of open source code Figure 1 – (a) Illustrates an SDL process which adds two numbers, a and b, and return their sum. (b) is the corresponding hand-written code in the C programming language. The examples illustrate language readability characteristics from the point of view of the non-programmer. #include void main() { int x, y, sum; int calc(int, int); puts("\nPlease enter two integers:\n"); scanf("%d", &x); scanf("%d", &y); sum = calc(x,y); printf("\nThe sum of the two numbers you entered is: %d", sum); } int calc(m,n) int m, n; { int s; s = m + n; return (s); } number1, number2 DCL a,b,sum Integer; WaitForNumber1 number1(a) WaitForNumber2 number2(b) sum := CALL Add(a, b) result(sum) sum Add sum := a + b sum (a)(b)

17 October 2015GSC-8, OTTAWASlide 4 A common vulnerability can be detected with conformance testing (a) ANY WEB SITE VICTIMATTACKER SYN/ACK RESET SYN Figure 2 – A common attack method using TCP/IP SYN packets to transfer a covert program one ASCII character at a time. Figure 2 (a) shows how packets can be bounced off any Web site to make detection of the attacker more difficult; Figure 2 (b) represents the TCP packet format showing the Sequence Number field. (b)

17 October 2015GSC-8, OTTAWASlide 5 TCP Packet Sequence Number Conformance Test in TTCN Figure 3 - a test case in TTCN derived from SDL to test the value of the Sequence Number field in the TCP SYN packet.

17 October 2015GSC-8, OTTAWASlide 6 TCP Packet in ASN.1 and Constraint Figure 4 - ASN.1 representation of the TCP packet named TCP_SYN and the corresponding TCP_SYN1 with the field values filled in.

17 October 2015GSC-8, OTTAWASlide 7 Buffer Overflow Figure 5 – The normal program memory stack with two buffers intended to accept user input, such as credit card number, can be overwritten with attacker’s code. For attacker’s code to work, the attacker must know and understand the victim’s code. This is difficult for the attacker to achieve due to the nature of machine-generated code and the need for special tools to change the code. Formalisms that define language syntax and semantics makes it possible to prove the correctness of the language typing rules so that no data can flow into places not capable of holding it. Buffer 2 Buffer 1 Return Pointer Buffer 2 Attacker’s Machine Code New Return Pointer Fill Direction Memory Pointer (a)(b)

17 October 2015GSC-8, OTTAWASlide 8 ASN.1 code portability and Trusted Tools What is placed on the wire to transmit “John Smith”? Inside the protocol, define the variable type “Name” in ASN.1: Name := SEQUENCE { FirstName PrintableString, LastName PritnableString } Assign values to the variables FirstName and LastName: FirstName := ‘John’ LastName := ‘Smith’ The variable “Name” encoded as BER sequence in Hex: … … J o … S m Converted into a binary stream of zeros and ones: (Seq_Class) (No_Bytes) (Printable_Str) (No_bytes) (John) (Printable_Str) (No_bytes) (Smith) A 6F 68 6E D Figure 6 – Using ASN.1 and Basic Encoding Rules (BER) to encode “John Smith” for transmission. This is done using trusted tools – no errors due to manual coding.

17 October 2015GSC-8, OTTAWASlide 9 RFC Data Format This non-standard data format is dominant in the Internet literature today. It is changed in arbitrary ways by authors, usually to fit the page. This format cannot be compiled or validated. ASN.1 can be compiled and validated. Figure 7 – The tabular form of specifying packet structure and content is dominant in the literature today, but, machines cannot understand it.

17 October 2015GSC-8, OTTAWASlide 10 Conclusions Several aspects of network security can be improved through the use of –Higher quality protocol and test suite Recommendations specified in SDL, ASN.1, MSC and TTCN –Trusted tools based on SDL, ASN.1, MSC and TTCN for specification, validation, code generation and testing –Machine-generated code is error-free and difficult to modify by intruder –Conformance tests traceable to specification can detect malicious code

17 October 2015GSC-8, OTTAWASlide 11 Resolution That ITU-T Study Groups will apply Recommendation A.3 Supplement 1, Guidelines on the Quality Aspects of Protocol Related Recommendations, when developing new protocol related recommendations That ITU-T TSB will provide technical support and tools for the development and maintenance of complex Recommendations That companies that participate in GSC member organizations will make use of commercial tools based on formal methods in their reviews of draft Recommendations That companies that participate in GSC member organizations will promote the use of formal languages and tools in IETF